We’re a small software company with a web store (Magento 2) several Wordpress installs, and a helpdesk (Zammad), as well as custom desktop software we produce in-house. Our customers purchase access to some or all of the above, and we are beginning to feel real pain in helping customers figure out how to log into each system - they all have their own login procedure, they use different credentials, etc.
After investigating Keycloak, it appears to be an excellent tool for managing SSO to multiple different disparate systems like this, but after reading a LOT of the documentation and poking around on these forums, I’m still left with several questions. I’m hoping some of the experts here can chime in with some advice:
Can I integrate all my existing users into Keycloak without forcing them to create yet another new login? In other words, can I import all my customers (along with their login credentials) from Magento into Keycloak, then hook Magento up to Keycloak and use it to authenticate those users for Magento moving forward?
If I can import users from Magento, how do I deal with users who used different credentials in one system from another? For instance, we have some users who use different email addresses for our store and our learning portal (Wordpress install). How can I map the credentials we pull out of Magento to an existing user in a Wordpress installation?
Is it possible to authenticate and grant access to desktop software (not a web app) via Keycloak? Is the entire login/authentication process web-based? Are there any REST apis we could leverage?
Where can I look for an expert consultant for hire to assist with our implementation?
Lots of questions, here’s my view:
Step one: Apps that support SAML or OIDC - basically implementing SSO. These apps are usually web apps and they redirect the user to the IDP in case they need the user to authenticate.
Step two: Web apps that do not support SAML or OIDC - if it’s your own sources, modernize them. If it’s open source or closed source implementation you may want to put them behind an authenticating reverse proxy and select a reverse proxy that does SAML or OIDC. We did this with NGINX but this is still a bit ugly. Commercial reverse Proxies on the other hand claim to be a good IDP themselves.
Step three: non-web-apps. Have a look into the Cli for keycloak, the kcadmin scripts.
These use the rest api behind the scenes, so they should allow you to modify a desktop app in a similar way. Again if you don’t have the source of the app, many apps support Kerberos - and Keycloak does that as well. Windows based apps are an example.
Now regarding your existing accounts in all the apps: in general you will have to put the password into keycloak. So you need to communicate with users when onboarding their first app that they need to reset the password and send them to keycloak to do so. From the second app on its more a “now you use that password” and it will have sso.
Don’t mix this with federation- that’s an option for keycloak to have users log in on another idp (where they may have already their preferred password), for instance google.
Assuming I have tens of thousands of customers who already have a login to our store (Magento 2). The store has plugins to enable SAML or OIDC, but what I’m not super clear about is this: How will Magento correctly link up new Keycloak credentials for existing customers? Does it match email addresses?
In other words, let’s say I have a fictitious customer named Bob Smith. He bought something from us and used bob@smith.com as his purchase email address before we implemented Keycloak with our store. Now that we have Keycloak, he comes back to our store and tries to log in, which redirects him to the shiny new Keycloak login page, where he enters robert@smithfamily.com (a different email address). When Keycloak sends him back to the store with a fresh authentication, how does the store know that this is the same Bob Smith? Or does it at all?
Two things to understand: #1 since you have an existing user base you can use that to predilection the idp so that only the password is missing. The existing implementation may even give you the passwords in plain so you can prefill even these. #2 when the user returns from the idp he brings a token, it’s a simple data structure that contains some attributes like a userid- it may be the email address. The plug-in uses the userid to match an existing user. The token is signed so that the plug-in can verify the correctness and so can trust the token.
Thank you for the explanations! I’m sure it’s obvious I’m a complete noob to SSO, but have learned a ton over the last few days. I’ve set up a standalone Keycloak instance, and am working through figuring out how to get it set up with our existing store.
Are there any pro consultants available to hire if we need some one-on-one support?